Kerberoasting w/o the TGS-REQ
This article introduces an alternative Kerberoasting technique that doesn't require sending TGS-REQs to the Key Distribution Center (KDC).
I'm looking at setting up a bunch of self hosted services to replace our (self, family, friends) dependence on corporate cloud stuff. Email (custom, since none of the Just Add Server offerings do everything I need for free), shared drive (likely nextcloud, ugh), docs (likely collabora), jitsi for video, discourse for group forums, and so on.
I'd like to make all of this SSO, to the extent that it reasonably can be.
I'm probably going to use FreeIPA as the identity source of truth, but I'm finding that there are enough new things I need to learn about centralized authentication that I'm having a hard time finding a starting point that doesn't require a bunch of other context. So I'm asking for help.
Does anyone know of a good guide to these sorts of concepts, preferably available online? I'm familiar with most of the other Linux sysadmin concepts and have plenty of hardware and bandwidth at my disposal.
If you don't have an answer but have followers who might, boosts would be appreciated.
Running Keycloak in a demanding setup: In the workshop by @smeyer on 24 January at the #UniventionSummit, practical use cases will be presented that come from the experience of numerous #Keycloak migrations over the past year. Topics such as #Kerberos integration, #2FA with #OTP, high availability and connecting two #IdentityProviders are the focus. An exciting insight for anyone who wants to use Keycloak professionally.
www.univention-summit.de
I used to say that I miss #SharePoint Server 2013 because #Kerberos was a lot less trouble than anything else currently in use for authentication.
But now with all this AI being put into everything I can say #SharePointServer 2013 has never looked sexier before today!
Dears, for my Linux desktop in the public sector pet project https://eu-os.gitlab.io ,
I need to learn about #freeipa identity management and #Kerberos. Any expert here at #38c3 in Hamburg with a bit of time?
Our matrix channel: #eu-os:kde.org
Do you by any chance run a #KDC Proxy? Then better patch those systems today.
CVE-2024-43639 - Windows KDC Proxy RCE requires no authentication and those systems are often exposed to the Internet #Kerberos
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43639
@thomholwerda Regarding security, #NFS (v3, and even v4 without kerberos) is clearly worse, in just not providing *any* security unless you guarantee your network is guarded against any unknown clients and ALL the machines on the network are perfectly secured.
Of course, #NFSv4 with one of the #kerberos modes enabled is very nice. In my personal opinion: clearly better -- it's "simple", doesn't contain any kind of "login" but just expects clients to always arrive with a valid kerberos ticket.
minor news on my #Xmoji (#X11 #emoji #keyboard): The #kqueue backend for watching the config file now works on #FreeBSD (as far as I can tell, hard to test every possible edge case).
I also want to add #inotify for #Linux. I just realized I'll need a Linux machine to properly do that. So, installing Debian in bhyve. Joined my samba domain, mounted my #kerberos-encrypted #NFS homedirs, couldn't login, no idea where to find diagnostic output with dreaded systemd ... but right now I found the solution to the problem:
# ln -s /usr/bin/zsh /usr/local/bin/zsh
Last week @abbra and I implemented IAKerb support in Samba. This week Stefan Metzmacher implemented support for it in Wireshark.
https://gitlab.com/wireshark/wireshark/-/merge_requests/15542
New cheatsheets pushed
https://github.com/r1cksec/cheatsheets
Including:
A proof of concept that exploits the failure to comply with the BSAM-PA-05 control within the BSAM methodology, which can be used by an attacker to record and replay audio from a bluetooth device
https://github.com/TarlogicSecurity/BlueSpy
A well-structured introduction to the basics of kerberos
https://labs.lares.com/fear-kerberos-pt1
A nice overview of the features of the tool azurenum
#Metasploit Framework 6.4 is out now. New features include:
* Windows #Meterpreter support for indirect system calls
* Windows Meterpreter memory searching
* #Kerberos improvements (support for Diamond and Sapphire techniques)
* DNS configuration and query handling enhancements (minimize DNS leaks!)
* New interactive session types (PostgreSQL, MSSQL, MySQL, SMB)
* Discoverability improvements for module searching
Huge thanks to the community and our stellar team for their work developing new features, adding fresh modules, reporting and fixing bugs, and suggesting enhancements. We appreciate you.
https://www.rapid7.com/blog/post/2024/03/25/metasploit-framework-6-4-released/
@lattera @drscriptt Now here's some document in the hope it might help someone
https://sekrit.de/webdocs/freebsd/nfs-jail-kerberos-samba.html
In the UCS technical track at the #UniventionSummit, Emanuel Holzmann of h2 invent presents the integration of the video tool #Meetling into UCS via #Keycloak.
Emanuel shows how #SAML and #OpenIDConnect make seamless integration possible and how, thanks to #Kerberos, users neither experience media breaks nor have to use separate login windows.
Very interesting for anyone who wants to learn more about simple user authentication.
Feature of the week: Kerberos Support
Kerberos, a robust authentication protocol, plays a pivotal role in enhancing the security and convenience of enterprise systems. At the same time, by enabling single sign-on (SSO), it simplifies the login process and reduces the need for multiple password entries.
Learn more about the feature:
https://owncloud.com/features/kerberos
A brilliant history of targeted capitalist attacks on #OpenSource and #dezentraleSozialeNetze (decentralized social networks):
https://cohost.org/Janet/post/1952079-ok-nun-auch-auf-deu
#Google killed #XMPP.
#Microsoft killed #Kerberos.
#Meta #Facebook #Threads is now attacking #Mastodon #Fediverse.
How do you prevent that? In the exemplary way @kev did when he was contacted about #Instagram and declined with the words:
"Your motivation should be to connect people, not to sell their privacy for profit!"
https://fosstodon.org/@kev/110592625692688836
@lewdthewides Yeah... with #sftp servers supporting #LDAP + #Kerberos and #Wormhole existing, I just can't find myself being particularly sympathetic to them.
There was absolutely no reason to use some #proprietary service for it.
Here is my writeup for CVE-2023-28244, if you are interested in that sort of thing: https://terrapinlabs.io/posts/cve-2023-28244/